Google Chronicle SecOps
What is Google Chronicle SecOps?
Google Cloud's cloud-native SIEM and SOAR (formerly Backstory) that stores petabyte-scale telemetry at a flat per-employee price and queries it with the YARA-L detection language.
Google Chronicle SecOps, originally launched in 2018 by Alphabet's Chronicle subsidiary as Backstory, is a SIEM built on Google's BigQuery-class infrastructure. It ingests raw security telemetry at unlimited volume, normalises it into the Unified Data Model (UDM), and offers detections written in YARA-L 2.0 alongside curated detections from Mandiant (acquired by Google in 2022). Pricing is typically per employee rather than per gigabyte, removing log-volume friction. Chronicle SecOps now integrates Siemplify SOAR (acquired 2022), Mandiant threat intel, the Gemini-powered Duet AI for Security assistant, and connects to Google Security Operations dashboards. It competes with Splunk ES and Microsoft Sentinel in the enterprise SIEM market.
● Examples
- 01: Writing a YARA-L rule to detect new top-level domains contacted by a host within five minutes of an EDR alert.
- 02: Pivoting from a Mandiant threat-intel match to all UDM events from the same IP in the last year, at sub-second latency.
● Frequently asked questions
What is Google Chronicle SecOps?
Google Cloud's cloud-native SIEM and SOAR (formerly Backstory) that stores petabyte-scale telemetry at a flat per-employee price and queries it with the YARA-L detection language. It belongs to the Defense & Operations category of cybersecurity.
What are other names for Google Chronicle SecOps?
Common alternative names include: Chronicle SecOps, Chronicle SIEM, Backstory.
● Related terms
- SIEM (defense-ops № 1039): A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- SOAR (defense-ops № 1062): A platform that automates and orchestrates SOC workflows by chaining detections, enrichments and response actions into playbooks executed across security tools.
- Splunk Enterprise Security (defense-ops № 1080): A commercial SIEM solution from Splunk Inc. (acquired by Cisco in 2024) that ingests, indexes, and correlates machine data using the Splunk Processing Language (SPL) for security monitoring and investigation.
- Microsoft Sentinel (defense-ops № 680): A cloud-native SIEM and SOAR service from Microsoft running on Azure, querying logs with Kusto Query Language (KQL) and integrating natively with Microsoft 365 Defender and Azure data sources.
- Threat Intelligence (defense-ops № 1148): Evidence-based knowledge about threats and threat actors, including indicators, TTPs and context, used to guide security decisions and detection.